Tag: Delaware

Delaware Adds to Growing Patchwork of Social Media Laws

On August 7, Delaware Governor Jack Markell signed a law to prohibit employers from interfering with the personal social media accounts of their prospective and current employees.  The new law, which also took effect on August 7, defines “personal social media” to encompass any account on a social networking site created and operated by a prospective or current employee exclusively for his or her personal use.  The term does not include accounts created or operated by an employer and that are operated by an employee as part of his or her employment.

Specifically, the new law prohibits an employer from requesting or requiring a prospective or current employee to:

  • disclose a username or password for the purpose of allowing the employer to access personal social media;

  • access personal social media in the presence of the employer;

  • use personal social media as a condition of employment;

  • divulge any personal social media (except as otherwise permitted by the new law);

  • add a person, including the employer, to the list of contacts associated with the prospective or current employee’s personal social media,

  • invite or accept an invitation from any person, including the employer, to join a group associated with the prospective or current employee’s personal social media; or

  • alter settings on the prospective or current employee’s personal social media that affect a third party’s ability to view the contents of the medium.

The new law also forbids an employer from taking adverse action against a prospective or current employee for failing to comply with any of these requests or demands.

Despite these broad prohibitions, nothing in the new law prevents an employer from:

  • exercising its right or obligation under its personnel policies, federal or state law, case law, or other rules or regulations to require or request that an employee divulge a username, password, or social media “reasonably believed to be relevant” to an investigation of alleged employee misconduct or violation of applicable laws and regulations (so long as the social media is used solely for purposes of that investigation or a related proceeding);

  • requiring or requesting an employee to disclose a username, password, or other accessing credentials for (i) an electronic communication device supplied by or paid for in whole or in part by the employer; or (ii) an account or service provided by the employer, obtained by virtue of the employee’s employment relationship, or used for the employer’s business purposes;

  • accessing, blocking, monitoring, or reviewing electronic data stored on an employer’s network or on an electronic communications device supplied by or paid for in whole or in part by the employer;

  • complying with a duty to screen prospective or current employees, or to monitor or retain employee communications, (i) under federal or state law or by a self-regulatory organization, as defined in the Securities and Exchange Act of 1934 (like FINRA); or (ii) in the course of a law enforcement employment application or officer conduct investigation performed by a law enforcement agency; or

  • accessing, using, or viewing information about a prospective or current employee otherwise available in the public domain.

The new Delaware law continues a growing trend across the country.  Twenty-one other states have similar laws restricting employer access to a prospective or current employee’s personal social media account, including Arkansas, California, Colorado, Connecticut, Illinois, Louisiana, Maryland, Michigan, Montana, Nevada, New Hampshire, New Jersey, New Mexico, Oklahoma, Oregon, Rhode Island, Tennessee, Utah, Virginia, Washington, and Wisconsin.

ARTICLE BY Katharine H Parker & Daniel L. Saperstein of Proskauer Rose LLP

© 2015 Proskauer Rose LLP.

New State Privacy Laws Go Into Effect on Jan. 1, 2015 (California and Delaware)

State legislators have recently passed a number of bills that impose new data security and privacy requirements on companies nationwide. The laws include new data breach notification requirements, marketing restrictions, and data destruction rules. Below is an overview of the new laws and amendments that will go into effect on January 1, 2015.

Amendments to California’s Data Security and Breach Notification Law

In October 2014, California Governor Jerry Brown signed into law California bill AB 1710, an amendment to California’s existing data security and breach notification law. As a result, the following changes to California’s law will go into effect on Jan. 1:

1. Companies that maintain personal information about Californians will need to implement and maintain reasonable security procedures and practices.

California’s current data security and breach law requires companies that own or license personal information about Californians to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”  For purposes of this data security requirement, California defines “personal information” as an individual’s first name (or first initial) and her last name in combination with her social security number, driver’s license or California ID number, any medical information, or a financial account number (such as a credit or debit card number) and the associated access code.

Under existing law, the terms “own” and “license” include personal information retained as a part of a business’s internal customer accounts or for the purpose of using the information in transactions.

As of Jan. 1, California law will require companies that merely “maintain” personal information about Californians (such as cloud providers), but do not own or license the information, also implement and maintain reasonable security procedures and practices appropriate to the nature of the information.

2. Companies that maintain personal information about Californians will be required to immediately notify the owner or licensee of the personal information in the event of a breach.

California currently requires companies that own or license personal information to disclose a data breach where it is reasonably believed that unencrypted personal information about a Californian was acquired without authorization. Current law also provides that such disclosure be made “in the most expedient time possible and without unreasonable delay.”

As of Jan. 1, companies that maintain personal information will be required to notify the owner or licensee of the personal information “immediately” after discovery of a breach if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

For purposes of data breach disclosure, “personal information” includes login credentials (“[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account,”) as well as an individual’s first name (or first initial) and her last name in combination with her social security number, driver’s license or California ID number, any medical information, or a financial account number (such as a credit or debit card number) and the associated access code.

As a reminder, other than for user name and password breaches (discussed below), current California law requires that a breach notification must be written in plain language and must include specific types of information about the breach.

Where the security breach involves the breach of online account information and no other personal information, then California law requires a business to provide the security breach notification in electronic or other form, directing the person whose personal information has been breached to promptly change her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with that business as well as all other online accounts for which the person uses the same name or email address and password or security question or answer.

However, where the security breach involves the breach of login credentials of an email account provided by a business, the business must not send the security breach notification to that email address. Instead, the business may comply with California law by providing notice by hard copy written notice or by clear and conspicuous notice delivered to the individual online when the individual is connected to the online account from an IP address or online location from which the business knows the resident customarily accesses the account.

3. After a breach, companies might be required to provide free identity theft prevention and mitigation services for 12 months.

AB 1710’s co-author stated in a press release that the bill “[r]equires the source of the breach to offer identity theft prevention and mitigation services for 12 months at no cost to individuals affected by a data breach. However, it is not clear whether this position is supported by the text of the bill, which only states that “if any” identity theft prevention and mitigation services are to be provided, then such services must be provided for 12 months at no cost.  An earlier version of the bill had stated that identity theft and mitigation services “shall beprovided” to individuals affected by a data breach.

Given the ambiguity of the requirement to provide free identity theft prevention and mitigation services, whether and how this provision will be enforced in 2015 is something to watch.

4. Companies may not sell, advertise for sale, or offer to sell an individual’s social security number.

The amendment also includes a new prohibition on social security numbers. As of Jan. 1, California law will prohibit the sale, the advertisement for sale, and the offer to sell an individual’s social security number. Businesses that own, license, or maintain information on an individual’s social security number will want to keep this new prohibition in mind when contemplating data transfer or broker agreements, or other transactions involving the personal information of Californians.

California’s New Minor Privacy Marketing and Privacy Law

California’s “Privacy Rights for California Minors in the Digital World Law”, SB 568, (1) bars some online operators from marketing certain products and services to minors, and (2) allows minors under 18 to request deletion of certain content from websites on which they have registered (known informally as the “eraser law.”)

1. Restrictions on Marketing to Minors

Operators of websites, online services, online applications, and mobile applications that are directed to minors are prohibited from marketing or advertising the following products and services:

  • Alcoholic beverages

  • Tobacco, cigarette, or cigarette papers, or blunt wraps, or any other preparation of tobacco, or any other instrument or paraphernalia that is designed for the smoking or ingestion of tobacco, products prepared from tobacco, or any controlled substance

  • Electronic cigarettes

  • Salvia divinorum or Salvinorin A, or any substance or material containing Salvia divinorum or Salvinorin A

  • Drug paraphernalia

  • Firearms or handguns, ammunition or reloaded ammunition, handgun safety certificates, BB device

  • Less lethal weapons

  • Dangerous fireworks

  • Aerosol containers of paint capable of defacing property

  • Etching cream capable of defacing property

  • Tanning in an ultraviolet tanning device

  • Dietary supplement products containing ephedrine group alkaloids

  • Tickets or shares in a lottery game

  • Body branding or permanent tattoos

  • Obscene matter

These operators also are prohibited from: (1) knowingly using, disclosing, or compiling a minor’s personal information for the purposes of marketing or advertising any of those prohibited products or services, and (2) knowingly allowing a third party to use, disclose, or compile the minor’s personal information to market or advertise these products or services.

If an operator has actual knowledge that a minor is using the services, the operator may not target marketing or advertising to that minor based on the minor’s personal information.  The operator also may not use, disclose, or compile the minor’s personal information to market or advertise the prohibited products or services, nor may the operator allow a third party to use, disclose, or compile the minor’s personal information for the prohibited products and services.

2. Deletion Requirement

If a minor is a registered user of a website, online service, online application, or mobile application, the operator must allow the minor to remove content and information that the minor had publicly posted on the website, service, or app.  Operators also are required to provide notice of this right to registered minors.

Operators are not required to delete content or information if:

  • Any federal or state law requires the operator to maintain the content or information;

  • The content or information was provided by an individual other than the minor;

  • The content or information is anonymized;

  • The minor did not properly follow the instructions for requesting deletion; or

  • The minor received compensation or consideration for providing the content.

Amendments to California’s Invasion of Privacy Law

California’s Invasion of Privacy law will also receive an update on January 1, 2015. The California Invasion of Privacy law currently prohibits the attempt to capture, in a manner that is offensive to a reasonable person, any type of visual image, sound recording, or other physical impression, when the person is engaged in a personal or familial activity under circumstances where they had a reasonable expectation of privacy. Current California law prohibits the activities described where the attempt to capture is done through a visual or auditory enhancing device. As of January 1, 2015, the above activities will be prohibited when done using any device.

New Delaware Data Destruction Law

Companies conducting business in Delaware will be required to take all reasonable steps to destroy or arrange for the destruction of a consumer’s personal identifying information when those records are no longer retained. Destruction may occur by shredding, erasing, or otherwise destroying or modifying the personal identifying information so as to render the information unreadable or indecipherable.

The Delaware law defines personal identifying information as a consumer’s first name or first initial and last name in combination with one of the following: signature; date of birth; social security number; passport number; driver’s license or state identification card number; insurance policy number; financial services account number, bank account number, credit card number, or other financial information; or confidential health care information.

Entities subject to the Gramm-Leach-Bliley Act, covered entities subject to HIPAA, and consumer reporting agencies subject to the FCRA are exempt from the new law. Other entities, however, may be subject to private enforcement actions, which allow for the recovery of treble damages. These have the potential to add up quickly, as each record unreasonably disposed of constitutes a violation under the statute. In addition, the Delaware Attorney General and Division of Consumer Protection of the Department of Justice may bring suit in certain circumstances.

ARTICLE BY

David N. Fagan
Kurt Wimmer
Jeff Kosseff
Katherine R. H. Gasztonyi
OF
Covington & Burling LLP

After Legislature Acts, Delaware Ready to Become 2nd State to Legalize Online Gaming

Recently published in The National Law Review was an article by Griffin Finan of Ifrah Law regarding Delaware and Online Gaming:

Delaware is now poised to become the second state to legalize online gaming. On Wednesday, that state’s Senate passed a bill that would legalize web table games, including poker, video lottery games, and traditional lottery games to be offered online.

Democratic Governor Jack Markell supports the bill and is expected to sign it into law soon. Earlier in the month the bill passed the state’s house of representatives by a 29-8 vote.

The bill, known as the Delaware Gaming Competitiveness Act of 2012, would authorize the state lottery and the three racetrack casinos it regulates to offer various form of Internet gambling, including poker. The bill would also authorize NFL parlay betting and keno. Games likely would not be live until early 2013.

After the bill is signed into law, Delaware will become the second U.S. state, after Nevada, to legalize online gaming. Nevada recently issued its first licenses authorizing companies in the state to offer online poker.

After the Department of Justice issued a legal opinion last December that purely intrastate online gaming did not violate the Wire Act, several states have explored legalizing online gaming to generate revenue and create jobs. The Delaware bill was motivated in part by efforts to retain jobs at the state’s racetrack casinos and to generate revenue for the state. The State Department of Finance projects that the bill would generate $7.75 million in new state revenues.

The small population of Delaware makes it unclear if there will be enough people to support the games. The law allows the state to explore compacts with other states to share gamers. Rhode Island and West Virginia have been mentioned as states that would be interested in such a compact, but those states would need to pass similar legislation to put a compact into effect.

The state lottery will operate the online gambling sites and is required to use verification systems to ensure that gamers are within the state and minors are excluded.

We support Delaware’s efforts to legalize online gaming in the interests of bringing jobs and badly needed revenue to the state. We will see if this leads to other states passing similar laws.

© 2012 Ifrah PLLC